securekomodo:~#

hacker of things

Abstract: Companies no longer need to focus on letting their IT departments drive the technology of the business. Employees demand the most out of their equipment, and need access to corporate networks and applications from anywhere, on any device. With the proper implementation, BYOD can not only reduce cost and generate revenue, but can create a more productive and fulfilled workforce.

BYOD (Bring Your Own Device):

BYOD (Bring Your Own Device) has been a trend in industry for quite some time. With the launch of new mobile devices like smartphones or tablets that can run a fully functional “enterprise-ready” version of Windows 8, the pressure to adopt a BYOD workplace is becoming more realistic for today’s corporate culture. What started as pagers or beepers turned into a new phenomenon of communication devices consisting of BlackBerrys or Windows Phone devices, with which employees could stay connected with work anywhere they went. These mobile devices were primarily used for voice, SMS, and email, and almost all other capabilities were locked down and disabled. Senior executives then wanted to use iPhones instead of BlackBerrys, and since the birth of the iPhone craze, enterprise mobility has shifted dramatically, creating a big concern in terms of information security. IT departments driving technology is a thing of the past. Now the end user stays at the forefront of technology with faster, more ‘mobile-ready’ devices. It is not just smartphones or personal computers, either: multiple platforms are now being introduced beyond the initial scope of BYOD concepts. Employees leverage tablets, ultrabooks, cloud services, and more. The fact is, people want to use different products than what their companies provide. By letting employees purchase the personal device they are most comfortable with, companies have an opportunity to save money by adopting a BYOD corporate model while still maintaining the level of security that is imperative in today’s information-driven society.

Many businesses today try to prohibit personal device use in an enterprise environment. The current structure rests on the idea that allowing personal-device access only increases the possibility of putting valuable corporate data and applications at risk. Because of that risk, companies are forced to maintain a standard operating system image across all workstations in the organization and to keep mobile devices restricted to basic features like phone, SMS, and e-mail. This restrictive solution has its own set of difficulties and challenges, and such a strictly controlled workstation policy could potentially create an even higher security risk for the IT infrastructure environment. To assume that “black-listing” all non-corporate-approved devices will create a more secure environment is naive, to say the least. Employees are diligent, and they will find a way to use their own devices anyway, unmonitored and unmanaged by any security policies in place.

Figure: Organizations’ policies on employees using their own personal computers or laptops for work purposes

Microsoft recently conducted a Trust in Technology survey (figure above) and found that “53% of organizations officially condone BYOD practices. Some (20%) provide some form of subsidy to employees who use their own PCs or laptops, but we can assume the subsidy is less than the organizations traditionally spend to acquire the same hardware. A third of companies (33%) allow BYOD, but do not subsidize it at all, so the savings are more significant” (Jones). These statistics show that companies are considering personally owned mobile devices as opposed to maintaining a standard workstation platform for all business users. While it is clear that BYOD is trending in industry, there are still obstacles that need to be overcome before a company can support this new business model.

Timely preparation is imperative when considering a change such as BYOD. Understanding your organization’s risk tolerance and the impact of the change will help define a clear starting point. One can use Gartner’s four-point scale for assessing CIOs’ attitudes toward IT consumerization (defensive, reluctant, opportunistic, and aggressive). The graphic below illustrates this scale in relation to an implementation of BYOD.

A company can choose where it falls on the spectrum by assessing the risk categories for each topic area (device choice, policies, applications, and support). Executives would need to tailor this chart to their own organization, making sure that all areas are thoroughly considered. With this carefully crafted preparation, a successful plan can emerge to start building a BYOD environment where the needs of the company are balanced with the needs of the employee. If the program falls too far to the left (Defensive), employees may not want to participate in it. If the program falls too far to the right (Aggressive), it may put the company at risk with security concerns.

There are many benefits and risks when allowing personally owned devices to be used for work, one of which has been shown to be a major factor in stakeholders’ decision making. Employee satisfaction is one of the major benefits: when employees are able to pick their own device, they will enjoy working with it, using it, and spending time on it. With that curiosity and sense of ownership, they are likely to require less technical support from the company IT staff. The satisfaction of employees can trickle down into other benefits, like reduced costs and increases in company productivity. In the event technical support is needed, users have been shown to be more appreciative of the support call (Slottow). This is because they feel as though the technical help is more personal, rather than just supporting the business. This satisfaction directly impacts productivity because when employees are happy with their technology, they spend more time on it, which means more work gets done in less time.

Before a BYOD implementation, it was a difficult and daunting task to be connected with work while at home. The employee would start by having to bring their work laptop home along with any other required business equipment. To get connected to work, they would have to use some sort of VPN technology to access the company network. Once on the VPN, they would still have less functionality from their house than if they were actually sitting in their office. This slow process takes valuable time away from the employee and the business. Allowing the employee to use a single device for all their needs could solve this time-consuming process of staying connected. With BYOD, the employee is consistently working with the same device, whether at home or in the office. There is no need to VPN because it is the same secured process to access the company network, from any Wi-Fi or 4G connection. The employee no longer has to carry around multiple devices because all their business and personal needs are met with a single device. That is where the real value lies with BYOD, and with a well-prepared program, shifting ownership to mobile devices will show success and long-term sustainability for any organization.

Concern about the security of data is one of the greatest shortcomings of BYOD. There is always an inherent security risk when dealing with commingled data. The threat of theft or loss of valuable company data should be a high priority when setting up a secured infrastructure focused around mobile access, especially since devices will be used in more locations outside of work. It goes without saying that most companies’ IT infrastructure needs to be “upgraded” to allow for such a change in their IT corporate model. Security mechanisms like firewalls, intrusion detection systems, encrypted communications, remote proxy servers, two-factor authentication, and fault tolerance must be installed or upgraded to accommodate secured use of personal devices. Two different technology solutions for securing a BYOD platform are popular today. Mobile Device Management (MDM) uses what is nicknamed “Dual Persona”, which is the ability for mobile devices to segment the OS into Personal (open) and Work (encrypted) partitions, as the figure below demonstrates.

Figure displaying how MDM separates “work” and “personal” containers on a single device

These devices can be selectively wiped to remove only work data while preserving the user’s personal data. Essentially, the work-related information remains completely separate from the personal data, and in the event that IT support needs to “wipe” the drive, only the work information is reset, leaving the employee’s personal partition alone. In the event the device is lost or stolen, the work partition is encrypted, which keeps company data secured from unauthorized access.

A second security solution is Mobile Application Management (MAM), which secures on an app-by-app basis. Whereas MDM enforces security and restriction policies on the entire device, MAM secures each application individually (see figure below), keeping each app in its own encrypted container. Each app features the same security standards, like data encryption, password authentication, and secured wiping of the app. With this solution, the user is able to keep their personal data separate from work data on a single device with relative ease. The user would get these “work approved” apps from a corporate app store that would provide a single place for users to download all the secure apps (Citrix). The advantage that MAM has over MDM is that as the user switches between multiple devices, his/her apps are instantly available on any device they use. This would ensure complete productivity in almost any scenario.

As businesses and corporations continue to expand geographically, and the technology sector continues to develop more powerful mobile devices, it is natural for the two areas to merge. BYOD is a natural evolution in business communications. It eliminates the time boundaries of the normal 9-5 workday, allowing employees to be productive at any time, anywhere. Instead of a user having to call off work because of some time commitment, it enables them to remain connected with their mobile device to ensure business continuity at all times of the day. It is a new and demanding workforce these days, and being connected 24×7 is becoming the new normal for corporate culture. While it is true that there are many initial risks in developing a BYOD platform, early adoptions have already proven that readjusting the corporate security model to accommodate mobile device access can reduce risk and actually return a profit. Stewart Brand, a well-respected writer and speaker in the tech industry, once said “Once a new technology rolls over you, if you’re not part of the steamroller, you’re part of the road”, and BYOD is what is rolling out now. More and more businesses are making this transition, and it is getting to a point where a company must make the choice to adapt to the changing culture, or be left on the road behind.